MEMORANDUM

TO:      Donald Rappaport
         Chief Financial and Chief Information Officer

FROM:    Jim Cornell
         Area Manager
         Washington Field Office

SUBJECT: Final Audit Report: Review of GAPS Security (ACN: A1180013)

This is our subject audit report covering the results of our security assessment of the Department's Grant Administration and Payment System (GAPS). The objective of the review was to evaluate the security posture of the GAPS automated payment processes, including the production environment and associated information technology considerations within the Department's communication infrastructure.

The assessment identified a number of technical or procedural security exposures that affect the overall security surrounding the GAPS production environment. They are directed to you for your action as either the Chief Financial Officer or the Chief Information Officer. To assist you in determining the relative significance of the review observations, we have categorized them as high, moderate or low risk. Many of the exposures were discussed with Office of the Chief Financial Officer (OCFO) officials and Department of Education Central Automated Processing System (EDCAPS) contractor staff during the course of the review. Due to the sensitivity of the exposures and recommendations identified during the review, we are not including detailed information in this report. That information will be provided to you under separate cover.

Summary Findings

The review of GAPS security identified a number of opportunities for the enhancement of the overall security posture of the production application and its operational platform. Improvements can be made in the areas of security access control, security option settings, audit trail controls, cash management, security administration, ensuring accountability, and appropriate segregation of developers from security and application functions.

Security Option Settings. The router and the computer systems used for the web server and the production GAPS database appeared to use an excessive number of default settings. Use of default settings without appropriate tailoring to the GAPS environment could inadvertently allow individuals unauthorized access to GAPS data and GAPS processes. In addition, other settings could be strengthened to make the security posture stronger.

Audit Trail Controls. During our review we noted several opportunities for the GAPS development team to enhance the use of audit trails and to limit the use of group user IDs. Audit trail controls are the primary detective controls used to evidence a series of events or transactions within an application. The use of group user IDs can significantly reduce the effectiveness of controls over user authentication and identification. Stronger audit trail controls should be implemented to protect the integrity of the information processed through GAPS. In addition, the access level of individual user IDs should be consistent with business requirements, given the sensitive nature of the application.

Cash Management Controls. Our review found weaknesses in the procedures for certifying the use of Federal funds drawn through GAPS. A combination of preventive and detective controls is necessary to ensure adequate cash management of Federal funds. The use of a robust electronic signature-based process, or an interim manual signature procedure, can provide the Department with increased grantee accountability for Federal funding requests.

Security Administration. Our review identified a significant number of users who had been assigned to more than one user group, which may have permitted excessive and/or incompatible access levels to GAPS functionality. Assignment of new user group responsibilities should be documented thoroughly to substantiate the business need for the additional user group. In addition, more specific procedures should be introduced to ensure that individual users do not belong to more than one user group or, where necessary, to document the business reason the user requires additional access and how this additional access will be monitored.

General Security. Opportunities are present to improve general security controls over the application and operational platform. For example, limiting access to GAPS user documentation and processes to only those Internet users who are GAPS users; enforcing mandatory password changes for GAPS user IDs; and automated techniques for ensuring that external GAPS users are, in fact, the users they represent themselves to be when accessing GAPS, are the types of security improvements that can be made to the GAPS application. In addition, our review noted a significant number of ports within the communication infrastructure configured with modem devices, presenting "back door" opportunities into the Department's network environment, including GAPS. Uncontrolled use of modems within the Department's communication infrastructure limits the effectiveness of the protection provided by its firewalls and routers.

Segregation of Duties. Our review identified several areas where controls can be strengthened to ensure adequate separation of duties within critical application functions. Super-users, developers, and managers are key individuals whose access should be limited to effect an appropriate segregation of duties that ensures compliance with OMB A-130, OMB A-127, and OMB A-123. Our review identified what appeared to be an inordinate number of super-user IDs and group IDs, given the nature of GAPS functionality. Though privileged user IDs of these types provide easy system access for troubleshooting the GAPS production environment, they also limit the ability of system managers to clearly identify and authenticate users with privileged access.

What We Recommend. We recommend that the OCFO take steps to improve the overall security posture of the GAPS application and related communication infrastructure by taking appropriate action on the specific recommendations related to the high and moderate risk observations included as an attachment to this report. Determination of the appropriate action should include consideration of the costs versus benefits, relative risk and any compensating controls impacting each audit observation. We also recommend that the low risk observations be given appropriate attention in the OCFO's overall security strategy.

Background

The Department is upgrading and streamlining its core management work processes. This effort is known as EDCAPS. EDCAPS comprises a suite of software packages, both off-the-shelf and custom developed. It consists of the Financial Management System Software (FMSS), the Contracts and Purchasing Support System (CPSS), GAPS, and the Recipient System (RS).

The GAPS production application is a client-server system that includes both custom developed and commercial-off-the-shelf (COTS) software. GAPS makes use of Saros products, Plexus Flo Ware (workflow system), Watermark (imaging), PowerBuilder (development), and Cognos Impromptu (reporting). The various software components in GAPS reside on servers and on client workstations located within the ED Network (EDNET). This review did not extend to reviewing the security posture of PowerBuilder, Saros, or Cognos Impromptu.

Objective, Scope, and Methodology

The objective of our audit was to evaluate the security posture of the GAPS automated payment processes. It did not include an assessment of other components of EDCAPS, specifically FMSS, CPSS, and RS. The review addressed the primary GAPS application and associated servers; components that provide communication pathways; and servers providing auxiliary processing. We conducted our fieldwork from June 1998 through August 1998, in accordance with government auditing standards. The scope of the review consisted of an assessment of 1) Infrastructure (Communications) Security, 2) Computer Security, 3) Application Security, and 4) Operations Security. To identify security controls relevant to the GAPS application, we interviewed responsible officials and operational staff from the Department's EDCAPS-GAPS development team. We tested controls and security features by interrogating the communication infrastructure and production environment using proprietary script utilities.

Statement on Management Controls

As part of our review, we assessed the system of management controls, policies, procedures, and practices applicable to the automated GAPS payment processes. Our assessment was performed to determine the security posture of GAPS. For the purpose of this report, we limited our review to the assessment of the significant controls over the automated grant payment functions. Because of inherent limitations, a study and evaluation made for the limited purpose described above would not necessarily disclose all material weaknesses in the controls. However, our assessment identified methods to improve the security posture of the GAPS application. We have recommended improvements to the controls by implementing stronger security controls (both preventive and detective). These weaknesses and their effects are fully described in an attachment to this report.

Auditee Comments

We provided the OCFO officials and the EDCAPS contractor staff with preliminary findings and recommendations based upon the results of our review at the end of our fieldwork. They were in general agreement with the intent of the recommendations and plan to take appropriate corrective action to mitigate the exposures. In addition, they expressed a strong interest in working closely with our review team to reach a mutually agreeable resolution to correcting the underlying exposures.

                   *                   *                   *                   *

Please provide us with your final response to each open high and moderate risk recommendation within 60 days of the date of this report, indicating what corrective actions you have taken or plan, and related milestones. The low risk observations are included as other matters for your consideration, but do not require a response.

In accordance with Office of Management and Budget Circular A-50, we will keep this audit report on the OIG list of unresolved audits until all open high and moderate issues have been resolved. Any reports unresolved after 180 days from the date of issuance will be shown as overdue in the OIG's Semiannual Report to Congress.

Please provide the Office of Chief Financial and Chief Information Officer / Financial Services Post Audit Group and the Office of Inspector General / Planning, Analysis and Management Services Staff with semiannual status reports on corrective actions until all such actions have been completed or continued follow-up is unnecessary.

In accordance with the Freedom of Information Act (Public Law 90-23), reports issued by the Office of Inspector General are available, if requested, to members of the press and the general public to the extent information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation shown us by the EDCAPS project staff during this review. Should you have any questions concerning this review, please feel free to contact me on (202) 205-9538 or Brett Baker of my staff on (202) 205-9744.

cc:      Paul Gilbreath